Sunlight Financial Services (Pty) Ltd - Notice of Administrative Sanction

Executive Committee: Commissioner: U. Kamlana I Deputy Commissioners: A. Ludin I K. Gibson I F. Badat ENQUIRIES: Kgomotso Molefe DIALLING NO.: (012) 367 7197 OUR REF: FSP32190 E-MAIL: Kgomotso.Molefe@fsca.co.za DATE: 3 July 2024 Ms. S Bothma Sunlight Financial Services (Pty) Ltd 41 Slabbert Avenue East Lynne Pretoria Per email: sanetb@sunlightfs.co.za NOTICE OF ADMINISTRATIVE SANCTION

1. NOTICE 1.1. The Financial Sector Conduct Authority (FSCA) is satisfied that Sunlight Financial Services (Pty) Ltd (SFS), an authorised financial services provider and an accountable institution as envisaged in terms of item 12 of schedule 1 to the FIC Act, has failed to comply with the Financial Intelligence Centre Act 38 of 2001 (the FIC Act). Accordingly, the FSCA hereby issues this Administrative Sanction Notice (the Notice). 1.2. The non-compliance was identified in an inspection conducted by the FSCA on SFS in terms of section 45B of the FIC Act of which the final report was issued on 15 June
3. NATURE OF ALLEGED NON-COMPLIANCE 2.1. Risk Management and Compliance Programme (RMCP) 2.1.1. In terms of section 42(1) of the FIC Act, an accountable institution must develop, document, maintain and implement a programme for anti-money laundering and counter terrorist financing risk management and compliance.

2 2.1.2. Section 42(2) of the FIC Act states that, “a risk management and compliance programme must- (a) Enable the accountable institution to- (i) Identify; (ii) Assess; (iii) Monitor; (iv) Mitigate; and (v) Manage, the risk that the provision by the accountable institution of new and existing products or services may involve or facilitate money laundering activities, the financing of terrorist and related activities or proliferation financing activities;” 2.1.3. The findings of the aforementioned inspection revealed that SFS have contravened sections 42(1) and (2) of the FIC Act for the following reasons: 2.1.3.1. At the time of the inspection, SFS provided the FSCA with a copy of its Risk Management Compliance Programme (RMCP), however, upon assessment for technical compliance with the FIC Act, it was found to be deficient in the following manner: • The risk matrix was found to be inadequate in that the risk factors and risk criteria adopted are not aligned to the business operations of the accountable institution. The risk matrix does not take into account the relevant money laundering (ML) / terrorist financing (TF) / proliferation financing (PF) risks and mitigating factors applicable to its business. Moreover, the RMCP does not indicate the customer due diligence (CDD) required per level of risk – Low, Medium, High. The risk factors applied and weightings allocated do not enable SFS to properly risk rate clients. SFS indicated that the current portfolio of clients is marked low risk because of the type of services and products sold. The assessment of ML/TF risks does not only involve the

3 assessment of products/services risks, but also client risks, geographical risks, distribution risks, etc. Accordingly, the RMCP does not enable the accountable institution to properly identify, assess and mitigate ML and TF risks associated with the provision of products or services to its clients. • The RMCP does not make provision for the manner in which the institution determines if a person is a prospective client in the process of establishing a business relationship or entering into a single transaction with the institution; or a client who has established a business relationship or entered into a single transaction as required in terms of section 42(2)(b) of the FIC Act. • The RMCP does not provide for the manner in which and the processes by which the establishment and verification of the identity of persons whom the accountable institution must identify in terms of Part 1 of this Chapter is performed in the institution in accordance with section 42(2)(d) of the FIC Act. SFS indicated that it conducts identification and verification through an online system called Q-Link, however, the RMCP was found to be silent on the detailed process to be undertaken to verify a person. • The RMCP does not make provision for the manner in which and the processes by which ongoing due diligence and account monitoring in respect of business relationships is conducted by the institution as required pursuant to section 42(2)(g) of the FIC Act. The RMCP specifies that the frequency and intensity of the ongoing due diligence will be conducted every year when the

4 facility is reviewed – yearly client visits, however the RMCP was found to be silent on how ongoing due diligence and account monitoring processes will be conducted. • The RMCP does not provide for the manner in which and the process by which the institution will confirm information relating to a client when it has doubts about the veracity of previously obtained information and when reporting suspicious and unusual transactions in accordance with section 21D as required in terms of section 42(2)(i) of the FIC Act. The RMCP is silent on the processes to be followed to confirm information received from a client if the accountable institution is in doubt. • The RMCP does not set out the manner in which and the processes by which the institution will perform the customer due diligence requirements in accordance with sections 21, 21A, 21B and 21C when, during the course of a business relationship, the institution suspects that a transaction or activity is suspicious or unusual as contemplated in section 29 in accordance with 42(2)(j) of the FIC Act. The RMCP indicates that once the conclusion is reached that a suspicious or unusual situation exists, the transaction must be reported, and the accountable institution may decide to continue with conclusion of the transaction. All necessary information to complete the report must be provided. However, the RMCP does not stipulate the processes to be followed to obtain CDD information to enable reporting. • The RMCP does not provide for provide for the manner in which the accountable institution will terminate an existing business relationship as contemplated in section 21E as required in accordance with section 42(2)(k) of the FIC Act.

5 • The RMCP does not make provision for the manner in which and the processes by which the accountable institution conducts enhanced due diligence for higher risk single transactions and business relationships and when simplified customer due diligence might be permitted in the institution in accordance with section 42(2)(m) of the FIC Act. • The RMCP does not enable the institution to determine when a transaction or activity is reportable to the Centre under Part 3 of this Chapter as per the provisions of section 42(2)(o) of the FIC Act. Similarly, the RMCP does not make provision for the processes for reporting information to the Centre under Part 3 of this Chapter as required in terms of section 42(2)(p) of the FIC Act. The RMCP failed to include the process of scrutinising clients in the RMCP (contravention of section 28A read with Guidance Note 7 and PCC 44). • The RMCP does not make provision for the processes for the institution to implement its RMCP in accordance with section 42(2)(r) of the FIC Act. The RMCP failed to address the method and process in terms of which the accountable institution will implement its RMCP. • SFS does not indicate in its RMCP if any paragraph of subsection (2) is not applicable to that accountable institution and the reason why it is not applicable as required in terms of section 42(2A) of the FIC Act. SFS failed to state in its RMCP that sections 42(2)(f), (h), (l) of the FIC Act are not applicable for the following reasons:

• SFS does not have legal entities or trusts as clients,

6

• SFS focuses on funeral policies and investments of lower amounts only, with no exposure to difficult/complex investment products, and
• SFS does not have clients that are foreign or domestic politically exposed persons or a prominent influential person; and does not envisage any to become a client in the current market – target market. • The accountable institution failed to make documentation describing its RMCP available to each of its employees involved in transactions to which this Act applies as required in terms of section 42(3) of the FIC Act. The RMCP is silent on the availability of the RMCP and its accessibility by all relevant staff. 2.1.4. Accordingly, SFS failed to develop and document several processes and procedures regarding the manner in which it will implement ML, TF and PF risk management and compliance, as required in terms of section 42 of the FIC Act. 2.1.5. SFS also failed to implement their RMCP in contravention of section 42(1) of the FIC Act, for the following reasons: 2.1.5.1. During the aforementioned inspection, it was found that the accountable institution did not establish and verify the identity of clients and conduct ongoing due diligence in respect of a business relationship in accordance with an RMCP as developed at the level of the accountable institution. This constitutes a 100% failure of the clients sampled. 2.1.5.2. While SFS obtained bank statements, “persal” numbers and ID copies to onboard a client, this was informed by the requirements of the policy provider and not as per the business risk considerations

7 for purposes of developing measures to be applied in respect of implementing its own RMCP. 2.1.5.3. Furthermore, it was also found that SFS failed to risk rate 57 out of 57 sampled clients (100% failure). 2.3. Training 2.3.1. In terms of section 43 of the FIC Act, an accountable institution must provide ongoing training to its employees to enable them to comply with the provisions of the FIC Act and the RMCP, which are applicable to them. 2.3.2. The findings of the aforementioned inspection revealed that the accountable institution failed to provide ongoing training to staff. 2.3.3. The RMCP provides that staff will receive refresher FIC Act Training or on an annual basis via in-house awareness. Furthermore, it is provided that a training register will always be kept up to date. This was found to not be the case. 2.3.4. Accordingly, SFS failed to provide its staff with ongoing training as required in terms of the FIC Act and the implementation of its RMCP. 2.4. Targeted Financial Sanctions (TFS) 2.4.1. In terms of section 28A read with section 26A – 26C of the FIC Act and Guidance Note 7, an accountable institution is required to scrutinise (screen) client information to determine whether their clients are listed in terms of section 25 of Protection of Constitutional Democracy Against Terrorist and Related Activities Act, 2004 (POCDATARA) and listed by the Security Council of the United Nations contemplated in a notice referred to in section 26A (1) of the FIC Act. 2.4.2. Section 28A(3) of the FIC Act states that “an accountable institution must upon- (a) …; or

8 (b) notice being given by the Director under section 26A(3), Scrutinise its information concerning clients with whom the accountable institution has business relationships in order to determine whether any such client is a person or entity mentioned in the proclamation by the President or the notice by the Director.” 2.4.3. The findings of the aforementioned inspection revealed that SFS have contravened section 28A read with section 26B of the FIC Act in that accountable institution failed to scruitinise (screen) 57 out of 57 sampled clients were against the TFS Lists (100% failure). 3. REASONS FOR IMPOSING THE ADMINISTRATIVE ACTION 3.1. SFS’ non-compliance as detailed above is a serious violation of the provisions of the FIC Act. 3.2. All accountable institutions were given 18 months to implement the provisions of the Financial Intelligence Centre Amendment Act No. 1 of 2017 which introduced the risk￾based approach to client identification and verification and provided for the RMCP. 3.3. The importance of the risk-based approach is underscored by the fact that this is the very first recommendation of the Financial Action Task Force of which South Africa is a member jurisdiction and required to comply with its recommendations. 3.4. The RMCP is the cornerstone of compliance with the FIC Act, combatting ML/TF and PF. Non-compliance with sections 42(1) and (2) of the FIC Act is seen in a serious light by the FSCA. 3.5. By understanding and managing ML, TF and PF risks, as required in terms the of FIC Act and in accordance with the RMCP, an accountable institution not only protects its business from harm or loss but also contributes to the broader financial stability and integrity of the South African financial system. 3.6. It is imperative that accountable institutions comply with their FIC Act obligations as CDD measures, including the screening of clients against the TFS Lists, will mitigate

9 the risk of accountable institutions being exploited by their clients for ML, TF or PF purposes. 3.7. SFS has been found to be non-compliant with the provisions of the FIC Act for its failure to (i) document, develop and maintain processes when implementing its RMCP in line with the nature, size and complexity of its business, (ii) conduct CDD and risk rate clients, (iii) provide training and (iv) screen clients against the TFS lists. 3.8. The FSCA has taken into consideration that SFS has cooperated with the FSCA before, during and after the inspection. SFS has acknowledged the aforementioned non-compliance and has taken measures to remediate the findings and update its RMCP: 3.8.1. The FSCA issued a copy of the draft inspection report to SFS on 09 April 2023. SFS submitted its representations to the FSCA on 28 April 2023. 3.8.2. The representations were duly considered and a feedback letter with a copy of the final inspection report was subsequently issued to SFS on 15 June 2023. The accountable institution responded on 28 June 2023 and provided the FSCA with an updated RMCP. 3.8.3. Upon technical assessment of the updated RMCP, it was found that only minor changes were effected and that the RMCP remained deficient. Moreover, SFS did not provide evidence proving that the accountable institution subsequently risk rated and subjected the sampled clients to TFS screening in remediation of the non-compliances. 3.8.4. The FSCA issued a Notice of Intention to Sanction on 11 March 2024. On 27 March 2024, SFS requested for an extension to submit its representations until 15 April 2024. The FSCA granted the extension and on 15 April 2024, the accountable institution provided its representations which included, but not limited to the following supplementary documentation: 3.8.4.1. a copy of the revised RMCP; 3.8.4.2. proof that clients were risk rated; 3.8.4.3. training registers (March 2022, February 2023, June 2023 and March 2024); and

10 3.8.4.4. client CDD information. 3.8.5. However, it was noted that SFS did not provide evidence proving that the sampled clients were subsequently screened against the TFS lists in remediation of the non-compliance. 3.8.6. Additionally, while the revised RMCP showed improvement, there was still non-compliance identified in respect of certain areas, namely, sections 42(2)(i), (k), (o), (p), (r), (2A) and (3) of the FIC Act: 3.8.6.1. The RMCP is still silent on the processes to be followed to confirm information received from a client if the accountable is in doubt about the veracity of the information. 3.8.6.2. The RMCP does not outline the details of the exact process or steps that SFS will follow when the accountable institution terminates an existing business relationship. 3.8.6.3. The RMCP does not enable the institution to determine when a transaction or activity is reportable to the Centre and processes for reporting information to the Centre. 3.8.6.4. The RMCP does not specify the method and process in terms of which the accountable institution will implement its RMCP. The RMCP does not in accordance with section 42(2A) of the FIC Act specify with certainty that sections 42(2)(f), (h), (l) of the FIC Act are not applicable for the following reasons:

• SFS does not have legal entities or trusts as clients,
• SFS focuses on funeral policies and investments of lower amounts only, with no exposure to difficult/complex investment products, and
• SFS does not have clients that are foreign or domestic politically exposed persons or a prominent influential

11 person; and does not envisage any to become a client in the target market. 3.8.6.5. The RMCP provides that the FICA Compliance Officer, is responsible for ensuring that the RMCP is available to all employees. However the manner in which the RMCP will be made available has not been set out. 3.8.7. The FSCA has a record of regulatory action instituted against SFS in 2022 for the failure to pay levies as required in terms of the Financial Advisory and Intermediary Services Act 37 of 2002. SFS has provided evidence that the accountable institution has since remediated this non-compliance and the records of the FSCA indicate that this case has been finalised. 4. PARTICULARS OF THE ADMINISTRATIVE SANCTION 4.1. In terms of section 45C(1), read with sections 45C(3)(a), (c) & (e), and 45C(6)(a) of the FIC Act, the FSCA hereby imposes the following administrative sanction on SFS: 4.1.1. A directive to remediate all deficiencies addressed in paragraph 2 above and to provide evidence to the FSCA on or before 13 December 2024. SFS is hereby directed to: 4.1.1.1. update its RMCP to show the manner in which and the processes by which SFS will comply with sections 42(2)(i), (k), (o), (p), (r), (2A) and (3) of the FIC Act. The revised RMCP must also be approved by the senior management of SFS; 4.1.1.2. scruitinise the information of the 57 sampled clients against the TFS list, and 4.1.1.3. review all client files and ensure that all clients are risk rated and CDD information has been obtained as prescribed in the FIC Act and in terms of the approved RMCP. SFS is required to also ensure that all clients are screened against the TFS list in accordance with the FIC Act and in terms of the approved RMCP. 4.1.2. A caution not to repeat the conduct which led to the aforementioned non￾compliance detailed in paragraph 2 above.

12 4.1.3. A financial penalty of R200 000 for non-compliance with sections 42(1) and (2) read with section 21(1) of the FIC Act. 4.1.4. A financial penalty of R100 000 for non-compliance with sections 43 of the FIC Act. 4.1.5. A financial penalty of R300 000 for non-compliance with section 28A read with section 26B of the FIC Act. 4.2. SFS is directed to pay the R300 000.00 of the financial penalty on or before 31 July 2024. 4.3. The payment of the remaining R300 000.00 of the total financial penalty is hereby suspended for a period of 3 years from the date of this Administrative Sanction, on condition that SFS complies with the directive issued in paragraph 4.1.1 above and remains fully compliant with sections 42(1) and (2), 21(1), 43 and section 28A read with section 26 of the FIC Act. 4.4. Should SFS be found to be non-compliant with provisions of the FIC Act detailed in paragraph 4.3. above, within the 3 years suspension period, the suspended penalty of R300 000.00 becomes immediately payable. 4.5. The financial penalty is payable via electronic fund transfer to: Account Name : NRF – FIC Act Sanctions Account Holder : National Treasury Account Number : 80552749 Bank : South African Reserve Bank Code : 910145 Reference : FIC Sanction – Sunlight Financial Services 4.6. Proof of payment must be submitted to the FSCA at Charl Geel (charl.geel@fsca.co.za).

13 5. RIGHT OF APPEAL 5.1. In terms of section 45D of the FIC Act, read with Regulation 27C of the Regulations promulgated in terms of GN R1595 in GG 24176 of 20 December 2002 as amended, SFS may lodge an appeal within 30 days, from the date of receipt of the Notice. The notice of appeal and proof of payment of the mandatory appeal fee must be:- 5.1.1. hand delivered to: The Secretary: The FIC Act Appeal Board Byls Bridge Office Park, Building 11 13 Candela Street Highveld Extension Centurion 5.1.2. sent via electronic mail to: The HOD: Office of General Counsel FSCA Attention: Mr S Rossouw (Stefanus.Rossouw@fsca.co.za) 5.2. The Secretary of the FIC Act Appeal Board may be contacted at AppealBroardSecretariat@fic.gov.za and telephonically at (012) 641-6243 should SFS require further information regarding the appeal process. Details of the appeal process can also be found on the FIC’s website at www.fic.gov.za. 6. FAILURE TO COMPLY WITH THE ADMINISTRATIVE SANCTION 6.1. In terms of section 45(C)(7)(b) of the FIC Act, should SFS fail to pay the prescribed financial penalty in accordance with this notice and an appeal has not been lodged within the prescribed period, the FSCA may forthwith file with the clerk or registrar of a competent court a certified copy of this notice, which shall thereupon have the effect of a civil judgement lawfully given in that court in favour of the FSCA.

14 7. PUBLICATION OF SANCTION 7.1. The FSCA will make public the decision and the nature of the sanction imposed in terms of section 45C(11) of the FIC Act. Yours faithfully

---

Unathi Kamlana Commissioner